Horizon dashboard and LDAP user listing result in 504 Gateway Time-out
Environment
Red Hat OpenStack Platform 13.0
Issue
- When LDAP is integrated with OpenStack Keystone, Keystone times out while fetching the user list from the LDAP server.
- This results in a 504 Gateway Time-out.
Resolution
- If using an LDAP back-end for authentication, add the following clause to /etc/openldap/ldap.conf on all controller nodes:

    NETWORK_TIMEOUT 2

- Then modify the haproxy.cfg file on all controllers (file path: /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg):

    defaults
      log global
      maxconn 8192            # <=====
      ...
      timeout connect 10s
      timeout client 5m       # <=====
      timeout server 5m       # <=====
      ...

- Before the change, the configuration looks like this:

    defaults
      log global
      maxconn 4096
      mode tcp
      retries 3
      timeout http-request 10s
      timeout queue 2m
      timeout connect 10s
      timeout client 2m
      timeout server 2m
      timeout check 10s

- After modification it will look like below:

    defaults
      log global
      maxconn 8192
      mode tcp
      retries 3
      timeout http-request 10s
      timeout queue 2m
      timeout connect 10s
      timeout client 5m
      timeout server 5m
      timeout check 10s

- Finally, restart keystone and haproxy:

    docker restart keystone        # on all controller nodes
    pcs resource restart haproxy-bundle

- This can also be done via THT (TripleO Heat Templates) parameters to make the changes permanent:

    (overcloud) [stack@undercloud-0 ~]$ cat virt/haproxy_cfg.yaml
    parameter_defaults:
      ControllerExtraConfig:
        tripleo::haproxy::haproxy_defaults_override:
          timeout:
            - 'http-request 10s'
            - 'queue 2m'
            - 'connect 10s'
            - 'client 5m'
            - 'server 5m'
            - 'check 10s'
          maxconn: 8192

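To confirm that each controller carries these settings, the following added example (not part of the original solution or any Red Hat tooling) parses the `defaults` section of haproxy.cfg and checks ldap.conf for the clause. The function names and sample input are hypothetical, and treating the page's values as minimums is an assumption.

```python
import re

# Target values come from this solution; function names are hypothetical.
# Assumption: the page's values are treated as minimums.
REQUIRED_TIMEOUTS = {"client": "5m", "server": "5m"}
REQUIRED_MAXCONN = 8192
UNIT_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}  # common section keywords

def to_ms(value):
    """Convert an HAProxy time value (unit defaults to milliseconds) to ms."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNIT_MS[m.group(2) or "ms"]

def parse_defaults(cfg_text):
    """Return (maxconn, {timeout name: ms}) read from the 'defaults' section."""
    maxconn, timeouts, in_defaults = None, {}, False
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            in_defaults = words[0] == "defaults"
        elif in_defaults and words[0] == "maxconn" and len(words) > 1:
            maxconn = int(words[1])
        elif in_defaults and words[0] == "timeout" and len(words) > 2:
            timeouts[words[1]] = to_ms(words[2])
    return maxconn, timeouts

def check(haproxy_cfg, ldap_conf):
    """Return findings; an empty list means the solution's settings are present."""
    findings = []
    maxconn, timeouts = parse_defaults(haproxy_cfg)
    if maxconn is None or maxconn < REQUIRED_MAXCONN:
        findings.append(f"defaults maxconn is {maxconn}, expected >= {REQUIRED_MAXCONN}")
    for name, want in REQUIRED_TIMEOUTS.items():
        if timeouts.get(name, 0) < to_ms(want):
            findings.append(f"timeout {name} is below {want}")
    if not re.search(r"^\s*NETWORK_TIMEOUT\s+2\s*$", ldap_conf, re.M | re.I):
        findings.append("ldap.conf lacks NETWORK_TIMEOUT 2")
    return findings

# Constructed sample: the page's "before" defaults and an ldap.conf without the clause.
BEFORE = "defaults\n  log global\n  maxconn 4096\n  timeout connect 10s\n  timeout client 2m\n  timeout server 2m\n"
if __name__ == "__main__":
    for finding in check(BEFORE, "URI ldap://ldap.example.com\n"):
        print(finding)
```

On a controller, pass the contents of the two files named above to `check()`; an empty result means the change is in place on that node.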
Root Cause
- Keystone times out before the details are fetched from the LDAP server.